suricata
log-droplog.c
Go to the documentation of this file.
1 /* Copyright (C) 2007-2013 Open Information Security Foundation
2  *
3  * You can copy, redistribute or modify this Program under the terms of
4  * the GNU General Public License version 2 as published by the Free
5  * Software Foundation.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * version 2 along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
15  * 02110-1301, USA.
16  */
17 
18 /**
19  * \file
20  *
21  * \author Gurvinder Singh <gurvindersinghdahiya@gmail.com>
22  * \author Victor Julien <victor@inliniac.net>
23  *
24  * Drop log module to log the dropped packet information in a format
25  * compatible to Linux' Netfilter.
26  */
27 
28 #include "suricata-common.h"
29 #include "debug.h"
30 #include "detect.h"
31 #include "flow.h"
32 #include "conf.h"
33 
34 #include "threads.h"
35 #include "tm-threads.h"
36 #include "threadvars.h"
37 #include "util-debug.h"
38 
39 #include "decode-ipv4.h"
40 #include "detect-parse.h"
41 #include "detect-engine.h"
42 #include "detect-engine-mpm.h"
43 #include "detect-reference.h"
44 
45 #include "output.h"
46 #include "log-droplog.h"
47 
48 #include "util-unittest.h"
49 #include "util-unittest-helper.h"
51 #include "util-privs.h"
52 #include "util-print.h"
53 #include "util-proto-name.h"
54 #include "util-logopenfile.h"
55 #include "util-time.h"
56 
57 #define DEFAULT_LOG_FILENAME "drop.log"
58 
59 #define MODULE_NAME "LogDropLog"
60 
61 typedef struct LogDropLogThread_ {
62  /** LogFileCtx has the pointer to the file and a mutex to allow multithreading */
64  uint64_t drop_cnt;
66 
67 /**
68  * \brief Initialize the droplog thread
69  * \param t Pointer the current thread variable
70  * \param initdata pointer to the output context
71  * \param data Pointer to the pointer to droplog thread to be initialized
72  *
73  * \return TM_ECODE_OK on success
74  */
75 static TmEcode LogDropLogThreadInit(ThreadVars *t, const void *initdata, void **data)
76 {
77  if(initdata == NULL) {
78  SCLogDebug("Error getting context for LogDropLog. \"initdata\" argument NULL");
79  return TM_ECODE_FAILED;
80  }
81 
83  if (unlikely(dlt == NULL))
84  return TM_ECODE_FAILED;
85  memset(dlt, 0, sizeof(LogDropLogThread));
86 
87  /** Use the Ouptut Context (file pointer and mutex) */
88  dlt->file_ctx = ((OutputCtx *)initdata)->data;
89 
90  *data = (void *)dlt;
91  return TM_ECODE_OK;
92 }
93 
94 /**
95  * \brief Deinitialize the droplog thread
96  * \param t Pointer the current thread variable
97  * \param data Pointer to the droplog thread to be cleared
98  *
99  * \return TM_ECODE_OK on success
100  */
101 static TmEcode LogDropLogThreadDeinit(ThreadVars *t, void *data)
102 {
103  LogDropLogThread *dlt = (LogDropLogThread *)data;
104  if (dlt == NULL) {
105  return TM_ECODE_OK;
106  }
107 
108  /* clear memory */
109  memset(dlt, 0, sizeof(LogDropLogThread));
110 
111  SCFree(dlt);
112  return TM_ECODE_OK;
113 }
114 
115 /**
116  * \brief Destroy the LogFileCtx and cleared "drop" output module
117  *
118  * \param output_ctx pointer the output context to be cleared
119  */
120 static void LogDropLogDeInitCtx(OutputCtx *output_ctx)
121 {
123 
124  if (output_ctx != NULL) {
125  LogFileCtx *logfile_ctx = (LogFileCtx *)output_ctx->data;
126  if (logfile_ctx != NULL) {
127  LogFileFreeCtx(logfile_ctx);
128  }
129  SCFree(output_ctx);
130  }
131 }
132 
133 /**
134  * \brief Create a new LogFileCtx for "drop" output style.
135  * \param conf The configuration node for this output.
136  * \return A LogFileCtx pointer on success, NULL on failure.
137  */
138 static OutputInitResult LogDropLogInitCtx(ConfNode *conf)
139 {
141  "The drop log has been deprecated and will be removed by "
142  "June 2020. Please use eve-log.");
143 
144  OutputInitResult result = { NULL, false };
145  if (OutputDropLoggerEnable() != 0) {
146  SCLogError(SC_ERR_CONF_YAML_ERROR, "only one 'drop' logger "
147  "can be enabled");
148  return result;
149  }
150 
151  LogFileCtx *logfile_ctx = LogFileNewCtx();
152  if (logfile_ctx == NULL) {
153  SCLogDebug("LogDropLogInitCtx: Could not create new LogFileCtx");
154  return result;
155  }
156 
157  if (SCConfLogOpenGeneric(conf, logfile_ctx, DEFAULT_LOG_FILENAME, 1) < 0) {
158  LogFileFreeCtx(logfile_ctx);
159  return result;
160  }
161 
162  OutputCtx *output_ctx = SCCalloc(1, sizeof(OutputCtx));
163  if (unlikely(output_ctx == NULL)) {
164  LogFileFreeCtx(logfile_ctx);
165  return result;
166  }
167  output_ctx->data = logfile_ctx;
168  output_ctx->DeInit = LogDropLogDeInitCtx;
169 
170  result.ctx = output_ctx;
171  result.ok = true;
172  return result;
173 }
174 
175 /**
176  * \brief Log the dropped packets in netfilter format when engine is running
177  * in inline mode
178  *
179  * \param tv Pointer the current thread variables
180  * \param p Pointer the packet which is being logged
181  * \param data Pointer to the droplog struct
182  *
183  * \return return TM_EODE_OK on success
184  */
185 static int LogDropLogNetFilter (ThreadVars *tv, const Packet *p, void *data)
186 {
187  LogDropLogThread *dlt = (LogDropLogThread *)data;
188  uint16_t proto = 0;
189  char timebuf[64];
190 
191  CreateTimeString(&p->ts, timebuf, sizeof(timebuf));
192 
193  SCMutexLock(&dlt->file_ctx->fp_mutex);
194 
195  if (dlt->file_ctx->rotation_flag) {
196  dlt->file_ctx->rotation_flag = 0;
197  if (SCConfLogReopen(dlt->file_ctx) != 0) {
198  /* Rotation failed, error already logged. */
200  return TM_ECODE_FAILED;
201  }
202  }
203 
204  char srcip[46] = "";
205  char dstip[46] = "";
206 
207  if (PKT_IS_IPV4(p)) {
208  PrintInet(AF_INET, (const void *)GET_IPV4_SRC_ADDR_PTR(p), srcip, 16);
209  PrintInet(AF_INET, (const void *)GET_IPV4_DST_ADDR_PTR(p), dstip, 16);
210  fprintf(dlt->file_ctx->fp, "%s: IN= OUT= SRC=%s DST=%s LEN=%"PRIu16" "
211  "TOS=0x%02"PRIu8" TTL=%"PRIu8" ID=%"PRIu16"", timebuf,
212  srcip, dstip, IPV4_GET_IPLEN(p), IPV4_GET_IPTOS(p),
214  proto = IPV4_GET_IPPROTO(p);
215  } else if (PKT_IS_IPV6(p)) {
216  PrintInet(AF_INET6, (const void *)GET_IPV6_SRC_ADDR(p), srcip, sizeof(srcip));
217  PrintInet(AF_INET6, (const void *)GET_IPV6_DST_ADDR(p), dstip, sizeof(dstip));
218  fprintf(dlt->file_ctx->fp, "%s: IN= OUT= SRC=%s DST=%s LEN=%"PRIu16""
219  " TC=%"PRIu32" HOPLIMIT=%"PRIu8" FLOWLBL=%"PRIu32"", timebuf,
220  srcip, dstip, IPV6_GET_PLEN(p), IPV6_GET_CLASS(p),
222  proto = IPV6_GET_L4PROTO(p);
223  }
224 
225  if (SCProtoNameValid(proto) == TRUE) {
226  fprintf(dlt->file_ctx->fp, " PROTO=%s",known_proto[proto]);
227  } else {
228  fprintf(dlt->file_ctx->fp, " PROTO=%03"PRIu16"",proto);
229  }
230 
231  switch (proto) {
232  case IPPROTO_TCP:
233  if (PKT_IS_TCP(p)) {
234  fprintf(dlt->file_ctx->fp, " SPT=%"PRIu16" DPT=%"PRIu16" "
235  "SEQ=%"PRIu32" ACK=%"PRIu32" WINDOW=%"PRIu32"",
237  TCP_GET_ACK(p), TCP_GET_WINDOW(p));
238  fprintf(dlt->file_ctx->fp, TCP_ISSET_FLAG_SYN(p) ? " SYN" : "");
239  fprintf(dlt->file_ctx->fp, TCP_ISSET_FLAG_ACK(p) ? " ACK" : "");
240  fprintf(dlt->file_ctx->fp, TCP_ISSET_FLAG_PUSH(p) ? " PSH" : "");
241  fprintf(dlt->file_ctx->fp, TCP_ISSET_FLAG_RST(p) ? " RST" : "");
242  fprintf(dlt->file_ctx->fp, TCP_ISSET_FLAG_URG(p) ? " URG" : "");
243  fprintf(dlt->file_ctx->fp, TCP_ISSET_FLAG_FIN(p) ? " FIN" : "");
244  fprintf(dlt->file_ctx->fp, " RES=0x%02"PRIu8" URGP=%"PRIu16"",
246  }
247  break;
248  case IPPROTO_UDP:
249  if (PKT_IS_UDP(p)) {
250  fprintf(dlt->file_ctx->fp, " SPT=%"PRIu16" DPT=%"PRIu16""
251  " LEN=%"PRIu16"", UDP_GET_SRC_PORT(p),
253  }
254  break;
255  case IPPROTO_ICMP:
256  if (PKT_IS_ICMPV4(p)) {
257  fprintf(dlt->file_ctx->fp, " TYPE=%"PRIu8" CODE=%"PRIu8""
258  " ID=%"PRIu16" SEQ=%"PRIu16"", ICMPV4_GET_TYPE(p),
260  } else if (PKT_IS_ICMPV6(p)) {
261  fprintf(dlt->file_ctx->fp, " TYPE=%"PRIu8" CODE=%"PRIu8""
262  " ID=%"PRIu16" SEQ=%"PRIu16"", ICMPV6_GET_TYPE(p),
264  }
265  break;
266  default:
267  fprintf(dlt->file_ctx->fp," Unknown protocol");
268  }
269 
270  fprintf(dlt->file_ctx->fp,"\n");
271 
272  fflush(dlt->file_ctx->fp);
273 
274  dlt->drop_cnt++;
276 
277  return TM_ECODE_OK;
278 
279 }
280 
281 /**
282  * \brief Check if we need to drop-log this packet
283  *
284  * \param tv Pointer the current thread variables
285  * \param p Pointer the packet which is tested
286  *
287  * \retval bool TRUE or FALSE
288  */
289 static int LogDropCondition(ThreadVars *tv, const Packet *p)
290 {
291  if (!EngineModeIsIPS()) {
292  SCLogDebug("engine is not running in inline mode, so returning");
293  return FALSE;
294  }
295  if (PKT_IS_PSEUDOPKT(p)) {
296  SCLogDebug("drop log doesn't log pseudo packets");
297  return FALSE;
298  }
299 
300  if (p->flow != NULL) {
301  int ret = FALSE;
302  if (p->flow->flags & FLOW_ACTION_DROP) {
304  ret = TRUE;
305  else if (PKT_IS_TOCLIENT(p) && !(p->flow->flags & FLOW_TOCLIENT_DROP_LOGGED))
306  ret = TRUE;
307  }
308  return ret;
309  } else if (PACKET_TEST_ACTION(p, ACTION_DROP)) {
310  return TRUE;
311  }
312 
313  return FALSE;
314 }
315 
316 /**
317  * \brief Log the dropped packets when engine is running in inline mode
318  *
319  * \param tv Pointer the current thread variables
320  * \param data Pointer to the droplog struct
321  * \param p Pointer the packet which is being logged
322  *
323  * \retval 0 on succes
324  */
325 static int LogDropLogger(ThreadVars *tv, void *thread_data, const Packet *p)
326 {
327 
328  int r = LogDropLogNetFilter(tv, p, thread_data);
329  if (r < 0)
330  return -1;
331 
332  if (p->flow) {
333  if (p->flow->flags & FLOW_ACTION_DROP) {
336  else if (PKT_IS_TOCLIENT(p) && !(p->flow->flags & FLOW_TOCLIENT_DROP_LOGGED))
338  }
339  }
340  return 0;
341 }
342 
343 static void LogDropLogExitPrintStats(ThreadVars *tv, void *data)
344 {
345  LogDropLogThread *dlt = (LogDropLogThread *)data;
346  if (dlt == NULL) {
347  return;
348  }
349 
350  SCLogInfo("(%s) Dropped Packets %" PRIu64 "", tv->name, dlt->drop_cnt);
351 }
352 
353 /***************************** Unittests ****************************/
354 
355 #ifdef UNITTESTS
356 
357 /** \brief test if the action is drop then packet should be logged */
358 static int LogDropLogTest01(void)
359 {
360  int result = 0;
362 
363  uint8_t *buf = (uint8_t *) "GET /one/ HTTP/1.1\r\n"
364  "Host: one.example.org\r\n";
365 
366  uint16_t buflen = strlen((char *)buf);
367  Packet *p = NULL;
368  ThreadVars th_v;
369  DetectEngineThreadCtx *det_ctx;
370  LogDropLogThread dlt;
371  LogFileCtx *logfile_ctx = LogFileNewCtx();
372  if (logfile_ctx == NULL) {
373  printf("Could not create new LogFileCtx\n");
374  return 0;
375  }
376 
377  memset (&dlt, 0, sizeof(LogDropLogThread));
378  dlt.file_ctx = logfile_ctx;
379  dlt.file_ctx->fp = stdout;
380 
381  memset(&th_v, 0, sizeof(th_v));
382  p = UTHBuildPacket(buf, buflen, IPPROTO_TCP);
383 
385  if (de_ctx == NULL) {
386  return result;
387  }
388 
389  de_ctx->flags |= DE_QUIET;
390 
393 
394  de_ctx->sig_list = SigInit(de_ctx, "drop tcp any any -> any any "
395  "(msg:\"LogDropLog test\"; content:\"GET\"; Classtype:unknown; sid:1;)");
396 
397  SigGroupBuild(de_ctx);
398  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
399 
400  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
401  if (p->alerts.cnt == 1 && (PACKET_TEST_ACTION(p, ACTION_DROP)))
402  result = (strcmp(p->alerts.alerts[0].s->class_msg, "Unknown are we") == 0);
403 
404  if (LogDropCondition(NULL, p) == TRUE)
405  LogDropLogger(NULL, &dlt, p);
406 
407  if (dlt.drop_cnt == 0) {
408  printf("Packet should be logged but its not\n");
409  result = 0;
410  }
411 
412  SigGroupCleanup(de_ctx);
413  SigCleanSignatures(de_ctx);
414  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
415  DetectEngineCtxFree(de_ctx);
416 
417  UTHFreePackets(&p, 1);
419  return result;
420 }
421 
422 /** \brief test if the action is alert then packet shouldn't be logged */
423 static int LogDropLogTest02(void)
424 {
425  int result = 0;
427 
428  uint8_t *buf = (uint8_t *) "GET";
429 
430  uint16_t buflen = strlen((char *)buf);
431  Packet *p = NULL;
432  ThreadVars th_v;
433  DetectEngineThreadCtx *det_ctx;
434  LogDropLogThread dlt;
435  LogFileCtx *logfile_ctx = LogFileNewCtx();
436  if (logfile_ctx == NULL) {
437  printf("Could not create new LogFileCtx\n");
438  return 0;
439  }
440 
441  memset (&dlt, 0, sizeof(LogDropLogThread));
442  dlt.file_ctx = logfile_ctx;
443  dlt.file_ctx->fp = stdout;
444 
445  memset(&th_v, 0, sizeof(th_v));
446  p = UTHBuildPacket(buf, buflen, IPPROTO_UDP);
447 
449  if (de_ctx == NULL) {
450  return result;
451  }
452 
453  de_ctx->flags |= DE_QUIET;
454 
457 
458  de_ctx->sig_list = SigInit(de_ctx, "alert udp any any -> any any "
459  "(msg:\"LogDropLog test\"; content:\"GET\"; Classtype:unknown; sid:1;)");
460 
461  SigGroupBuild(de_ctx);
462  DetectEngineThreadCtxInit(&th_v, (void *)de_ctx, (void *)&det_ctx);
463 
464  SigMatchSignatures(&th_v, de_ctx, det_ctx, p);
465  if (p->alerts.cnt == 1 && p->alerts.alerts[0].action != ACTION_DROP)
466  result = (strcmp(p->alerts.alerts[0].s->class_msg, "Unknown are we") == 0);
467 
468  if (LogDropCondition(NULL, p) == TRUE)
469  LogDropLogger(NULL, &dlt, p);
470 
471  if (dlt.drop_cnt != 0) {
472  printf("Packet shouldn't be logged but it is\n");
473  result = 0;
474  }
475 
476  SigGroupCleanup(de_ctx);
477  SigCleanSignatures(de_ctx);
478  DetectEngineThreadCtxDeinit(&th_v, (void *)det_ctx);
479  DetectEngineCtxFree(de_ctx);
480 
481  UTHFreePackets(&p, 1);
482 
484  return result;
485 }
486 
487 /**
488  * \brief This function registers unit tests for AlertFastLog API.
489  */
490 static void LogDropLogRegisterTests(void)
491 {
492  UtRegisterTest("LogDropLogTest01", LogDropLogTest01);
493  UtRegisterTest("LogDropLogTest02", LogDropLogTest02);
494 }
495 #endif
496 
497 /** \brief function to register the drop log module */
499 {
501  LogDropLogInitCtx, LogDropLogger, LogDropCondition,
502  LogDropLogThreadInit, LogDropLogThreadDeinit, LogDropLogExitPrintStats);
503 #ifdef UNITTESTS
504  LogDropLogRegisterTests();
505 #endif
506 }
#define GET_IPV4_SRC_ADDR_PTR(p)
Definition: decode.h:214
#define TCP_GET_RAW_X2(tcph)
Definition: decode-tcp.h:71
char * known_proto[256]
uint8_t SCProtoNameValid(uint16_t proto)
Function to check if the received protocol number is valid and do we have corresponding name entry fo...
#define SCLogDebug(...)
Definition: util-debug.h:335
struct Flow_ * flow
Definition: decode.h:445
#define PACKET_TEST_ACTION(p, a)
Definition: decode.h:857
#define FALSE
#define PKT_IS_TOCLIENT(p)
Definition: decode.h:258
#define IPV4_GET_IPPROTO(p)
Definition: decode-ipv4.h:148
void LogDropLogRegister(void)
function to register the drop log module
Definition: log-droplog.c:498
#define unlikely(expr)
Definition: util-optimize.h:35
uint64_t drop_cnt
Definition: log-droplog.c:64
#define GET_IPV4_DST_ADDR_PTR(p)
Definition: decode.h:215
Signature * SigInit(DetectEngineCtx *, const char *)
Parses a signature and adds it to the Detection Engine Context.
#define UDP_GET_SRC_PORT(p)
Definition: decode-udp.h:36
Signature * sig_list
Definition: detect.h:767
uint8_t action
Definition: decode.h:271
#define FLOW_ACTION_DROP
Definition: flow.h:64
#define ICMPV6_GET_ID(p)
#define IPV6_GET_HLIM(p)
Definition: decode-ipv6.h:90
int OutputDropLoggerEnable(void)
Definition: output.c:851
#define PKT_IS_IPV6(p)
Definition: decode.h:252
#define TCP_GET_WINDOW(p)
Definition: decode-tcp.h:115
void SigCleanSignatures(DetectEngineCtx *de_ctx)
#define ICMPV6_GET_SEQ(p)
void(* DeInit)(struct OutputCtx_ *)
Definition: tm-modules.h:84
#define MODULE_NAME
Definition: log-droplog.c:59
TmEcode DetectEngineThreadCtxInit(ThreadVars *, void *, void **)
initialize thread specific detection engine context
LogFileCtx * file_ctx
Definition: log-droplog.c:63
TCPHdr * tcph
Definition: decode.h:522
int EngineModeIsIPS(void)
Definition: suricata.c:247
#define ICMPV4_GET_TYPE(p)
#define TRUE
#define ICMPV4_GET_SEQ(p)
#define SCMutexLock(mut)
#define PKT_IS_IPV4(p)
Definition: decode.h:251
main detection engine ctx
Definition: detect.h:761
#define TCP_ISSET_FLAG_SYN(p)
Definition: decode-tcp.h:121
TmEcode DetectEngineThreadCtxDeinit(ThreadVars *, void *)
PacketAlert alerts[PACKET_ALERT_MAX]
Definition: decode.h:294
const struct Signature_ * s
Definition: decode.h:273
#define DE_QUIET
Definition: detect.h:292
#define ICMPV6_GET_CODE(p)
#define SCCalloc(nm, a)
Definition: util-mem.h:253
#define TCP_GET_SEQ(p)
Definition: decode-tcp.h:113
void OutputRegisterPacketModule(LoggerId id, const char *name, const char *conf_name, OutputInitFunc InitFunc, PacketLogger PacketLogFunc, PacketLogCondition PacketConditionFunc, ThreadInitFunc ThreadInit, ThreadDeinitFunc ThreadDeinit, ThreadExitPrintStatsFunc ThreadExitPrintStats)
Register a packet output module.
Definition: output.c:163
#define SCMutexUnlock(mut)
#define IPV6_GET_PLEN(p)
Definition: decode-ipv6.h:88
uint8_t flags
Definition: detect.h:762
#define GET_IPV6_DST_ADDR(p)
Definition: decode.h:220
#define TCP_ISSET_FLAG_URG(p)
Definition: decode-tcp.h:125
#define SCLogError(err_code,...)
Macro used to log ERROR messages.
Definition: util-debug.h:294
int SigGroupBuild(DetectEngineCtx *de_ctx)
Convert the signature list into the runtime match structure.
#define PKT_IS_ICMPV6(p)
Definition: decode.h:256
void UtRegisterTest(const char *name, int(*TestFn)(void))
Register unit test.
#define IPV6_GET_FLOW(p)
Definition: decode-ipv6.h:84
void SigMatchSignatures(ThreadVars *th_v, DetectEngineCtx *de_ctx, DetectEngineThreadCtx *det_ctx, Packet *p)
wrapper for old tests
Definition: detect.c:1669
SCMutex fp_mutex
void SCClassConfLoadClassficationConfigFile(DetectEngineCtx *de_ctx, FILE *fd)
Loads the Classtype info from the classification.config file.
Packet * UTHBuildPacket(uint8_t *payload, uint16_t payload_len, uint8_t ipproto)
UTHBuildPacket is a wrapper that build packets with default ip and port fields.
LogFileCtx * LogFileNewCtx(void)
LogFileNewCtx() Get a new LogFileCtx.
#define PKT_IS_TOSERVER(p)
Definition: decode.h:257
#define IPV6_GET_CLASS(p)
Definition: decode-ipv6.h:82
#define UDP_GET_LEN(p)
Definition: decode-udp.h:35
int SCConfLogOpenGeneric(ConfNode *conf, LogFileCtx *log_ctx, const char *default_filename, int rotate)
open a generic output "log file", which may be a regular file or a socket
const char * PrintInet(int af, const void *src, char *dst, socklen_t size)
Definition: util-print.c:267
int SigGroupCleanup(DetectEngineCtx *de_ctx)
#define FLOW_TOCLIENT_DROP_LOGGED
Definition: flow.h:74
uint8_t proto
#define SCLogWarning(err_code,...)
Macro used to log WARNING messages.
Definition: util-debug.h:281
#define IPV6_GET_L4PROTO(p)
Definition: decode-ipv6.h:93
char * class_msg
Definition: detect.h:583
#define IPV4_GET_IPLEN(p)
Definition: decode-ipv4.h:127
Definition: conf.h:32
#define TCP_ISSET_FLAG_RST(p)
Definition: decode-tcp.h:122
OutputCtx * ctx
Definition: output.h:42
#define SCMalloc(a)
Definition: util-mem.h:222
#define GET_IPV6_SRC_ADDR(p)
Definition: decode.h:219
int LogFileFreeCtx(LogFileCtx *lf_ctx)
LogFileFreeCtx() Destroy a LogFileCtx (Close the file and free memory)
#define SCLogInfo(...)
Macro used to log INFORMATIONAL messages.
Definition: util-debug.h:254
#define ICMPV4_GET_ID(p)
#define SCFree(a)
Definition: util-mem.h:322
#define PKT_IS_TCP(p)
Definition: decode.h:253
#define TCP_ISSET_FLAG_ACK(p)
Definition: decode-tcp.h:124
void EngineModeSetIDS(void)
Definition: suricata.c:262
#define UDP_GET_DST_PORT(p)
Definition: decode-udp.h:37
void OutputDropLoggerDisable(void)
Definition: output.c:859
#define ICMPV6_GET_TYPE(p)
void * data
Definition: tm-modules.h:81
#define PKT_IS_ICMPV4(p)
Definition: decode.h:255
#define GET_TCP_DST_PORT(p)
Definition: decode.h:222
#define IPV4_GET_IPTOS(p)
Definition: decode-ipv4.h:125
int SCConfLogReopen(LogFileCtx *log_ctx)
Reopen a regular log file with the side-affect of truncating it.
PacketAlerts alerts
Definition: decode.h:555
char name[16]
Definition: threadvars.h:59
#define TCP_GET_URG_POINTER(p)
Definition: decode-tcp.h:116
#define PKT_IS_PSEUDOPKT(p)
return 1 if the packet is a pseudo packet
Definition: decode.h:1132
struct LogDropLogThread_ LogDropLogThread
#define TCP_ISSET_FLAG_PUSH(p)
Definition: decode-tcp.h:123
uint16_t cnt
Definition: decode.h:293
#define PKT_IS_UDP(p)
Definition: decode.h:254
Per thread variable structure.
Definition: threadvars.h:57
struct timeval ts
Definition: decode.h:451
#define DEFAULT_LOG_FILENAME
Definition: log-droplog.c:57
#define ACTION_DROP
#define TCP_GET_ACK(p)
Definition: decode-tcp.h:114
#define TCP_ISSET_FLAG_FIN(p)
Definition: decode-tcp.h:120
#define GET_TCP_SRC_PORT(p)
Definition: decode.h:221
void DetectEngineCtxFree(DetectEngineCtx *)
Free a DetectEngineCtx::
void UTHFreePackets(Packet **p, int numpkts)
UTHFreePackets: function to release the allocated data from UTHBuildPacket and the packet itself...
void EngineModeSetIPS(void)
Definition: suricata.c:257
#define IPV4_GET_IPID(p)
Definition: decode-ipv4.h:129
FILE * SCClassConfGenerateValidDummyClassConfigFD01(void)
Creates a dummy classification file, with all valid Classtypes, for testing purposes.
uint32_t flags
Definition: flow.h:379
#define FLOW_TOSERVER_DROP_LOGGED
Definition: flow.h:72
void CreateTimeString(const struct timeval *ts, char *str, size_t size)
Definition: util-time.c:245
DetectEngineCtx * DetectEngineCtxInit(void)
#define IPV4_GET_IPTTL(p)
Definition: decode-ipv4.h:146
#define ICMPV4_GET_CODE(p)